Financial sector companies are transforming digitally, and cybersecurity is becoming ever more important to them. Organizations are increasingly aware of the impact this area has on their business strategies. According to the latest report by the consulting firm Deloitte, ‘Cybersecurity insights 2023: Budgets and benchmarks for financial services institutions’, businesses are recognizing the need to build cybersecurity spending into their budgets.
The study behind the report, which shows the importance of cybersecurity in financial services, was conducted in June 2023 among 61 organizations. Experts identified three key trends dominating the industry. The first is the constrained budgets of organizations, which also affect the funds allocated to IT security. The second is digital transformation, which is the main business driver of cybersecurity, amid growing regulatory pressure, including pressure to manage this risk. The third trend is a change in the operating model of the organizations' cybersecurity functions. These changes reflect the growing strategic role of cybersecurity for the company.
The Deloitte report provides Chief Information Security Officers (CISOs), IT directors, CEOs, and boards with insights that will help them align their actions with prevailing market standards.
The Role of Cybersecurity in Business Strategy
The Deloitte study ‘Reshaping the Cybersecurity Landscape’ from 2020 showed clearly that the key to realizing the strategic importance of cybersecurity is to look beyond IT and consider its impact on business strategy.
“Our latest analysis shows that many companies have taken to heart the message from three years ago. Sixty-one percent of financial institutions stated that their organization applies a global, centralized, and consolidated operating model. It focuses, among other things, on providing services within all business areas of the company or establishing standards as best practices. Importantly, within this model, the institution focuses on all aspects of cybersecurity, not only in terms of technology and IT, but also places emphasis on business risk and talent,” says Przemysław Szczygielski, leader of financial sector services in Poland and managing partner of the Risk Advisory department in Poland and the Baltic countries, Deloitte.
The second most popular operating model (24% of companies) is globally centralized but focused on IT; it leaves certain aspects of the organization's cybersecurity undivided among individual business units. The third most common approach is one focused on cyber operations (12% of respondents). Only 2% of institutions use a model based on cyber solutions matched to a specific unit.
Outsourcing, but Not for the Cloud
The authors of the report indicate that almost 80% of financial institutions allocate part of their cybersecurity budget to services provided by subcontractors, while 21% of respondents do not outsource any cybersecurity operations. Among the group that does use outsourcing, 42% declare that more than a quarter (>25%) of their cybersecurity budget goes to external subcontractors; the larger group (58%) allocates no more than a quarter of its budget to outsourcing.
The area where outsourcing is most commonly used is the security operations center (SOC) (43%), followed by incident detection and response and “red teaming” (32%), an offensive exercise in which a team simulates a real adversary's attack on the organization to test its defenses. A further 15% of respondents also indicated outsourcing of network security operations, training and cybersecurity awareness, and physical security. Nearly all financial services institutions prefer to secure the cloud in-house: only 4% outsource cloud security.
Cloud-Based Digital Transformation
For financial institutions, the implementation of new technologies is crucial for business development and cost control. As the industry rebuilds after the shocks caused by the COVID-19 pandemic, and with increasingly frequent incidents compromising the security of network data, companies are strengthening their digital transformation strategies. Cybersecurity is integrated into new processes and systems as they are created.
“Over the past five years, the broadly understood cloud has remained the main priority during the digital transformation of financial services institutions. The same applies to data analytics, which is second in the ranking. The last three years, and especially last year, saw a noticeable increase in interest in artificial intelligence. While the first two topics are quite well known in companies, with wider application of AI in company processes, the number of challenges for information security directors will increase,” notes Ścibor Łąpieś, partner, leader of the Technology, IT, M&A team, Deloitte.
The last two positions in the list of CISO priorities are completely new compared with the previous edition of the study from 2020. The penultimate is a new or updated enterprise resource planning (ERP) system and operational technology. At the end of the list are blockchain and cryptocurrency.
Decreasing Cybersecurity Budgets
One of the problems for cybersecurity directors is budget pressure. Cost-cutting in financial institutions has also reduced budgets for cybersecurity. The banking and capital markets segment allocated 0.88% for such activities in 2021, and in 2023 the figure was 0.80%. A noticeable decrease was recorded in the insurance industry, where spending on cybersecurity fell from 0.41% of the budget to 0.20%. The only increase was observed in the asset management sector: from 0.40% in 2020 and 2021, it rose to 0.49% this year.
Within these budgets, spending priorities largely align with those presented in Deloitte's cybersecurity reports for financial institutions for 2020 and 2021. The majority of spending in 2023 still goes to strategy, talent and management (24%), infrastructure and network security (20%), and threat detection and response (16%).
“Given that cybersecurity increasingly plays a central role in managing business risk, CISO strategies are increasingly based on their companies’ broader needs. Our study identified two main business imperatives that are key factors influencing network security. These include a transformation program and strategy, indicated by 83% of respondents, and identified risks and issues relevant to 75% of respondents,” says Michał Sosinka, associate partner, Cybersecurity, Risk Advisory, Deloitte.
About the Study
The “Financial Services Cybersecurity 2023” study was conducted by Deloitte & Touche LLP in June 2023 to provide the financial services industry with benchmarking of cyber operations in terms of size, relevance, and functioning. A total of 61 financial institutions participated in the survey, mostly from the banking and capital markets sector. Most respondents reported operating in the North American or Europe, Middle East, and Africa (EMEA) markets. Respondents were institutions of various sizes, with most reporting “medium-sized” revenues ranging from $500 million to $5 billion.